"""Tests for AuthService: password setup, validation, lockout and token decoding.

All passwords below are throwaway test fixtures, not real credentials.
"""
import pytest

from src.server.services.auth_service import AuthError, AuthService, LockedOutError


def test_setup_and_validate_success():
    """A strong master password can be set, validated and used to mint a token."""
    service = AuthService()
    master_password = "Str0ng!Pass"

    service.setup_master_password(master_password)
    assert service.is_configured()
    assert service.validate_master_password(master_password) is True

    token_response = service.create_access_token(subject="tester", remember=False)
    assert token_response.token_type == "bearer"
    # The token itself must be non-empty; its format is not checked here.
    assert token_response.access_token

    session = service.create_session_model(token_response.access_token)
    # Sessions built from a non-"remember" token are expected to carry an expiry.
    assert session.expires_at is not None


@pytest.mark.parametrize(
    "bad",
    [
        "short",  # five lowercase characters
        "lowercaseonly",  # no uppercase, digit or symbol
        "UPPERCASEONLY",  # no lowercase, digit or symbol
        "NoSpecial1",  # mixed case plus digit, but no symbol
    ],
)
def test_setup_weak_passwords(bad):
    """Each weak candidate must be rejected with ValueError at setup time."""
    service = AuthService()
    with pytest.raises(ValueError):
        service.setup_master_password(bad)


def test_failed_attempts_and_lockout():
    """After max_attempts failures, the identifier is locked out.

    The final call submits the *correct* password, so the test pins that
    lockout takes precedence over valid credentials for that identifier.
    """
    service = AuthService()
    master_password = "An0ther$Good1"
    service.setup_master_password(master_password)
    identifier = "test-ip"

    # Use up the allowed attempts: each wrong guess returns False, it does not raise.
    for _ in range(service.max_attempts):
        outcome = service.validate_master_password(
            "wrongpassword", identifier=identifier
        )
        assert outcome is False

    # The next attempt must raise LockedOutError, even with the right password.
    with pytest.raises(LockedOutError):
        service.validate_master_password(master_password, identifier=identifier)


def test_token_decode_invalid():
    """A string that is not a valid token must raise AuthError on decode."""
    service = AuthService()
    with pytest.raises(AuthError):
        service.decode_token("not-a-jwt")